A new warning for Android users this week: videos attached to messages are hiding a nasty surprise. What looks like an ordinary video clip is actually a file carrying malicious code, which runs as soon as the recipient tries to open it. It is the latest warning for Telegram’s billion users to beware.

This attack exploits the way in which Telegram handles media. “The main reason for the vulnerability is that the ‘.htm’ file format in the response to Telegram servers is perceived as a video. The ‘.htm’ code snippet is opened in a browser under ‘content:/’… allowing the specified HTML page to be triggered and opened.”


So says the new report from Cti Monster published this week. The malware has been dubbed EvilLoader, a successor to EvilVideo, which we have seen before and which “allows attackers to download and run additional malicious payloads on target systems.” If your phone is infected, you can expect credentials and private data to be stolen and banking trojans to be installed.

Because the file is not actually a video, the media player fails to play it, and that failure is what pushes the user toward the browser. “It can redirect to the default browser, or if it is understood to be an ‘HTML file,’ it can be double-clicked to open in the browser. This allows the malicious JavaScript to run.” If a user has downloaded the file to their phone, “thinking it was a video, the browser actually runs the HTML content, and the IP information goes to the attacker’s server.”
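The core of the trick described above is a mismatch: the sender labels the attachment as video, but its bytes are an HTML document. That mismatch is checkable before anything is opened. The following is an added example, not code from the report or from Telegram, that sniffs the leading bytes of an attachment and compares the result with the declared MIME type and file extension. The sample attachments are constructed for the example (the `attacker.invalid` host is a placeholder, not a real indicator), and the container signatures used are the public ones for ISO BMFF (`ftyp`) and EBML (WebM/MKV).

```python
import re
from dataclasses import dataclass

# Leading-bytes pattern for an HTML document, after BOM and whitespace are skipped.
HTML_START = re.compile(
    rb"^\s*<(?:!doctype\s+html|html|head|body|script|meta|iframe|svg)\b",
    re.IGNORECASE,
)
VIDEO_EXTS = {"mp4", "m4v", "mov", "webm", "mkv", "3gp", "avi"}
HTML_EXTS = {"htm", "html", "xhtml", "svg"}


@dataclass
class Verdict:
    sniffed: str      # what the bytes say the file is
    declared: str     # what the sender's MIME type / extension claimed
    suspicious: bool
    reason: str


def strip_bom(data: bytes) -> bytes:
    """Drop a UTF-8/UTF-16 byte-order mark so it cannot hide the '<'."""
    for bom in (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff"):
        if data.startswith(bom):
            return data[len(bom):]
    return data


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring what the sender claimed."""
    head = strip_bom(data[:512])
    if len(head) >= 12 and head[4:8] == b"ftyp":
        return "video/mp4"        # ISO BMFF: mp4, m4v, mov, 3gp
    if head.startswith(b"\x1a\x45\xdf\xa3"):
        return "video/webm"       # EBML: webm, mkv
    if HTML_START.match(head):
        return "text/html"
    return "unknown"


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def declared_kind(mime: str, name: str) -> str:
    ext = extension(name)
    if mime.lower().startswith("video/") or ext in VIDEO_EXTS:
        return "video"
    if mime.lower() == "text/html" or ext in HTML_EXTS:
        return "html"
    return "other"


def assess(mime: str, name: str, data: bytes) -> Verdict:
    """Flag attachments whose claimed type and real content disagree."""
    sniffed = sniff(data)
    declared = declared_kind(mime, name)
    if declared == "video" and sniffed == "text/html":
        return Verdict(sniffed, declared, True, "HTML document presented as a video")
    if declared == "video" and extension(name) in HTML_EXTS:
        return Verdict(sniffed, declared, True, "video MIME type with an HTML file extension")
    if declared == "video" and sniffed == "unknown":
        return Verdict(sniffed, declared, False, "container not recognised; not confirmed as video")
    return Verdict(sniffed, declared, False, "declared type matches content")


# Constructed sample attachments: (declared MIME type, file name, leading bytes).
SAMPLES = {
    "real_mp4": ("video/mp4", "clip.mp4",
                 b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"),
    "real_webm": ("video/webm", "clip.webm",
                  b"\x1a\x45\xdf\xa3\x9f\x42\x86\x81\x01\x42\xf7\x81\x01"),
    "htm_as_video": ("video/mp4", "funny.mp4",
                     b"<!DOCTYPE html><html><body><script>"
                     b"location='http://attacker.invalid/'</script>"),
    "bom_whitespace_html": ("video/mp4", "video.mp4",
                            b"\xef\xbb\xbf  \r\n<html><head><meta http-equiv=refresh "
                            b"content=\"0;url=http://attacker.invalid/\"></head></html>"),
    "htm_extension": ("video/mp4", "clip.htm",
                      b"\x00\x00\x00\x18ftypisom\x00\x00\x00\x00isomavc1"),
}


def scan_samples() -> dict:
    return {label: assess(*attachment) for label, attachment in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in scan_samples().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{label:22s} {flag:10s} {verdict.sniffed:10s} {verdict.reason}")
```

Two edge cases are handled on purpose: a byte-order mark or leading whitespace before the `<html` tag, which a naive `startswith(b"<")` check would miss, and a file whose bytes really are MP4 but whose name ends in `.htm`, which is still worth flagging because the extension, not the content, can decide which app opens it.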


Since its first outing, the malware has gained a check for sandbox environments, which likely means it is looking for a security analyst’s machine, and it now only runs in target geographies. It has also been caught triggering fake security warnings to trick users into changing settings. All of which means the original CVE-2024-7014, patched last year, needs revisiting.

Telegram users must ensure they are running the latest version of the app from an official store, and be very wary of playing video files from unknown sources or in obviously viral forwarded messages or forums. A video that refuses to play and instead offers to open in a browser is the tell; do not tap through. As for Telegram, they are cleaning house to an extent and so we can expect a response. I have reached out for any comment.
